Security of EHR, etc


(Tony McCormick) #1

Security is always a topic worth discussing… Patient Portals are a big issue and we need to discuss models that are NOT browse directly into the data models …

This extract from: http://www.emrandhipaa.com/guest/2017/06/21/compromise-assessments-penetration-testing-in-healthcare/

True Health Diagnostics, a Frisco, TX-based healthcare services company recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patients’ records by accident. Upon investigating the issue it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and therefore view the medical information of other patients (also known as Forceful Browsing).

We need to move forward with API (like FHIR) based solutions for access to patient data via apps, not portals.
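The forceful-browsing flaw quoted above, shown as an added Python example (not code from this thread, True Health, OpenEMR or LibreHealth): a toy portal handler that serves a record PDF by its sequential id beside a hardened handler that checks the record belongs to the logged-in patient and hands out non-sequential handles instead. The record table, patient names and function names are all constructed for the example.

```python
import secrets

# Constructed sample data: sequential record id -> (owning patient, PDF filename)
RECORDS = {
    1001: ("patient-alice", "labs-1001.pdf"),
    1002: ("patient-bob", "labs-1002.pdf"),
}

class Forbidden(Exception):
    pass

def fetch_record_vulnerable(session_user: str, record_id: int) -> str:
    """Flawed pattern: only checks that someone is logged in, then serves any id.
    With sequential ids, changing one digit in the URL reaches another patient's file."""
    if not session_user:
        raise Forbidden("login required")
    _owner, filename = RECORDS[record_id]
    return filename

def fetch_record_hardened(session_user: str, record_id: int) -> str:
    """Object-level authorization: the record must belong to the session user."""
    if not session_user:
        raise Forbidden("login required")
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != session_user:
        # One response for "missing" and "not yours", so ids cannot be enumerated
        raise Forbidden("record not found")
    return entry[1]

# Opaque handles: URLs carry a random token instead of the sequential id
HANDLES: dict = {}

def issue_handle(session_user: str, record_id: int) -> str:
    fetch_record_hardened(session_user, record_id)  # authorize before issuing
    token = secrets.token_urlsafe(16)
    HANDLES[token] = (session_user, record_id)
    return token

def fetch_by_handle(session_user: str, token: str) -> str:
    entry = HANDLES.get(token)
    if entry is None or entry[0] != session_user:
        raise Forbidden("record not found")
    return fetch_record_hardened(session_user, entry[1])

def is_denied(fn, *args) -> bool:
    """Helper for checks: True if the handler refuses the request."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```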


(Bob Hoyt) #2

@tony

The vulnerability of OpenEMR made the press today. I have no idea if LibreHealth shares the same


(Art Eaton) #3

Yeah, that is a file you are supposed to remove after setup.

Wouldn’t call this really “The Press” though…it’s someone’s mostly contextually irrelevant blog post. Where and how they would possibly come up with a “90 million patients” number clues me into the fact that it is not exactly a…a peer-reviewable paper…


(Tony McCormick) #4

Plus the “fix” is to simply delete the setup.php file after the setup is completed, as instructed.

We have a more elegant solution in the works, but it’s not a real vulnerability, it’s a security service using OpenEMR to advertise himself since he can’t do this kind of work on a proprietary product. The community typically benefits from this kind of transparency.


(Robby O'Connor) #5

Removed the setup.php file.